Fake calculators are laughable, so why not create my own?

Ah yes, there’s always a group of impostors for a calculator. Down to the designs.

This classic model from Citizen has been copied by other brands to make their own. But after all, they are just the same.

Oh yeah, I almost forgot to mention interesting impostors of (older generation of) Casio scientific calculators. I mean, look!

Well, time to start a new calculator brand, I guess…

Our investigation into a Pos Indonesia phishing and scamming attempt.

You are receiving this message as we have found you as the official contact address or representative of one of the following:

  • Cloudflare (https://cloudflare.com/), as we found the suspected site uses Cloudflare’s website protection service,
  • NOBU National Bank (https://www.nobubank.com/), as we found payment details linked to the bank,
  • Pos Indonesia (https://posindonesia.co.id/), to notify it of a recent phishing attack claiming to act on behalf of the company,
  • Representative(s) of the Ministry of Communication and Informatics, Republic of Indonesia (https://kominfo.go.id/) who are taking part in SMS and internet regulations,
  • Operators of the s.id URL shortening service (https://s.id/), as the phishing actor uses their service to shorten the offending URL(s), and
  • Webnic (https://www.webnic.cc/), as the domain registrar of the suspected site.

We have recently found a lucky draw phishing attempt that uses your service and/or intellectual property and claims to act on behalf of Pos Indonesia, the Indonesian state-owned post office and delivery service.

The suspected site is located at https://posgiroindonesia.com/, which was registered through Webnic on March 12th, 2022, 01:48:36 UTC as found on the domain’s WHOIS entry:

```
Domain Name: posgiroindonesia.com
Registry Domain ID: 2681013274_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: webnic.cc
Updated Date: 2022-03-12T01:50:04Z
Creation Date: 2022-03-12T01:48:36Z
Expiration Date: 2023-03-12T01:48:36Z
Registrar: WEBCC
Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +60.389966799
Domain Status: ok https://icann.org/epp#ok
Registry Registrant ID: Not Available From Registry
Registrant Name: Domain Admin
Registrant Organization: Whoisprotection.cc
Registrant Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Registrant City: Kuala Lumpur
Registrant State/Province: Wilayah Persekutuan
Registrant Postal Code: 57000
Registrant Country: Malaysia
Registrant Phone: +60.389966788
Registrant Phone Ext:
Registrant Fax: +603.89966788
Registrant Fax Ext:
Registrant Email: reg_19705533@whoisprotection.cc
Registry Admin ID: Not Available From Registry
Admin Name: Domain Admin
Admin Organization: Whoisprotection.cc
Admin Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Admin City: Kuala Lumpur
Admin State/Province: Wilayah Persekutuan
Admin Postal Code: 57000
Admin Country: Malaysia
Admin Phone: +60.389966788
Admin Phone Ext:
Admin Fax: +603.89966788
Admin Fax Ext:
Admin Email: adm_19705533@whoisprotection.cc
Registry Tech ID: Not Available From Registry
Tech Name: Domain Admin
Tech Organization: Whoisprotection.cc
Tech Street: L4-E-2, Level 4, Enterprise 4, Technology Park Malaysia, Bukit Jalil
Tech City: Kuala Lumpur
Tech State/Province: Wilayah Persekutuan
Tech Postal Code: 57000
Tech Country: Malaysia
Tech Phone: +60.389966788
Tech Phone Ext:
Tech Fax: +603.89966788
Tech Fax Ext:
Tech Email: tec_19705533@whoisprotection.cc
Name Server: DOM.NS.CLOUDFLARE.COM
Name Server: TERESA.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2022-03-12T01:50:04Z <<<
```

The site uses Cloudflare and a WHOIS protection service to protect their website and related identities.

Here, visiting https://posgiroindonesia.com/ directly will simply redirect the user to https://posindonesia.co.id/, the official website of Pos Indonesia. However, visiting the suspected URL with a special random ID will redirect the user to a special page, such as https://posgiroindonesia.com/cf62....e5b7.

The original webpage contains the victim’s name, mobile number, as well as home address. This is why we decided to redact this information (including the original, offending URL) when publishing this report to our official website at https://reinhart1010.id/.

The phishing website is powered by Laravel, a PHP-based web development framework, which further suggests that the site is being hosted on a LAMP (Linux-Apache-MySQL/MariaDB-PHP)-based web server.

However, we could not identify the web hosting provider of this website as the site is being protected by Cloudflare. In technical terms, performing a WHOIS lookup on each of the IP addresses linked to posgiroindonesia.com’s DNS entry will simply return a list of Cloudflare-managed servers, instead of the original web server which runs the website.

When pressing the “Claim” button shown on the above screenshot, the site performs an HTTP POST request to return a valid QR code for use in QRIS, the national QR-based payment system which is based on EMVCo’s QR Code Specification for Payment Systems.

Here, understanding the EMVCo’s specification for merchant-presented payment QR codes is crucial to identify the threat actor. The above QR code contains the following payload:

00020101021226670016COM.NOBUBANK.WWW01189360050300000839560214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID20221563643500303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd061920220313165000231530703A016304EFF2

Which suggests that:

  1. The QR code declares itself as a dynamic payment QR code (“QRIS Dinamis”), which is more commonly used in payment gateways, EDC machines, and SaaS-based POS systems, rather than a static QR code (“QRIS Statis”), which is commonly printed as stickers in brochures and shops.
  2. The QR code was created on behalf of “MRS” instead of “Pos Indonesia”, which is intentional to avoid rejection by Indonesian banks, digital wallets, and payment providers who are eligible to issue new QRIS payment QR codes.
  3. The National Merchant ID (NMID) of the suspected scammer’s merchant is ID2022156364350.
  4. The merchant falls under the “Convenience and Specialty Stores” (5499) category, according to the QR’s metadata. Similarly, we also have a valid static QRIS code (pictured below) which also falls under this exact category, despite declaring ourselves as a “Software house and SaaS provider” when requesting one from our QRIS issuer.

Our official QRIS QR code. Original payload: 00020101021126680016ID.CO.TELKOM.WWW011893600898029003487302150001952900348730303UMI51440014ID.CO.QRIS.WWW0215ID10221477541080303UMI5204549953033605502015802ID5925REINHART PREVIANO KOENTJO6015KOTA JAKARTA PU61051026062220511100027433310703A1763040D45

  5. The QR code was issued neither by any Indonesian state-owned bank (BNI, BRI, BTN, Bank Mandiri) nor by Pospay, a digital wallet service owned by Pos Indonesia itself.
  6. Instead, the QR code was issued by NOBU National Bank, a privately-owned Indonesian bank, with the internal merchant PAN of 936005030000083956 and internal merchant ID of 53118642465581.
  7. Since the QR code was created dynamically (see Point 1) and issued by NOBU (see Point 6), we can assume with high confidence that the scammer abuses NOBU’s online payment gateway system to generate dynamic QRIS payment codes for phishing and scamming purposes.
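
The decoding behind the findings in this list, as an added example (not code from the original report): a minimal EMVCo merchant-presented QR parser run over the two payloads quoted on this page. The function names are hypothetical, the sub-tag meanings (01 = merchant PAN, 02 = merchant ID or NMID) follow the report's own reading, and the checksum routine assumes the CRC-16/CCITT-FALSE parameters (polynomial 0x1021, initial value 0xFFFF) that the EMVCo specification prescribes for tag 63.

```python
# Both payloads are copied verbatim from this page.
SUSPECT = ("00020101021226670016COM.NOBUBANK.WWW0118936005030000083956"
           "0214531186424655810303UME51440014ID.CO.QRIS.WWW0215ID2022156364350"
           "0303UME5204549953033605409251990.005802ID5903MRS6015JAKARTA SELATAN"
           "61051221062770114031300054398220525c6bf0ed4fb2cec5f40ed066cd"
           "061920220313165000231530703A016304EFF2")
OWN = ("00020101021126680016ID.CO.TELKOM.WWW0118936008980290034873"
       "02150001952900348730303UMI51440014ID.CO.QRIS.WWW0215ID1022147754108"
       "0303UMI5204549953033605502015802ID5925REINHART PREVIANO KOENTJO"
       "6015KOTA JAKARTA PU61051026062220511100027433310703A1763040D45")


def parse_tlv(data: str) -> dict:
    """Split an EMVCo string into {tag: value}.

    Every data object is a 2-digit tag, a 2-digit decimal length, then the value.
    """
    out, i = {}, 0
    while i < len(data):
        header = data[i:i + 4]
        if len(header) < 4 or not header.isdigit():
            raise ValueError(f"bad tag/length header at offset {i}")
        tag, length = header[:2], int(header[2:])
        value = data[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"tag {tag} is truncated")
        out[tag] = value
        i += 4 + length
    return out


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, initial value 0xFFFF, no reflection."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc_matches(payload: str) -> bool:
    """Tag 63 is last; its value covers everything before it, including '6304'."""
    body, stated = payload[:-4], payload[-4:]
    return body.endswith("6304") and f"{crc16(body.encode('utf-8')):04X}" == stated.upper()


def summarize(payload: str) -> dict:
    """Pull out the fields the report relies on to attribute the QR code."""
    top = parse_tlv(payload)
    # Tags 26-45 are issuer-specific merchant account templates (nested TLV).
    account = next((parse_tlv(v) for t, v in sorted(top.items()) if "26" <= t <= "45"), {})
    national = parse_tlv(top["51"]) if "51" in top else {}  # QRIS national registry template
    return {
        "initiation": {"11": "static", "12": "dynamic"}.get(top.get("01"), "unknown"),
        "issuer": account.get("00"),        # reverse-domain identifier of the issuer
        "merchant_pan": account.get("01"),
        "merchant_id": account.get("02"),
        "nmid": national.get("02"),
        "mcc": top.get("52"),               # merchant category code
        "currency": top.get("53"),          # ISO 4217 numeric code, 360 = IDR
        "amount": top.get("54"),            # only present when the amount is pre-filled
        "merchant_name": top.get("59"),
        "city": top.get("60"),
        "crc_ok": crc_matches(payload),
    }


if __name__ == "__main__":
    for label, payload in (("suspect", SUSPECT), ("own", OWN)):
        print(label)
        for key, value in summarize(payload).items():
            print(f"  {key:14} {value}")
```

A `crc_ok` of `False` means the string was altered or mistyped after the QR code was generated, so check it before trusting any other field.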

Note that we cannot further identify the scammer beyond this point. However, it is fairly easy for NOBU and legal authorities to further investigate and capture these scammers, as valid Indonesian IDs are still required to request new QRIS codes from authorized issuers, which can be found on https://www.aspi-indonesia.or.id/standar-dan-layanan/qris/.

Here, we decided to notify related parties in the following order to help legal authorities validate this issue before revoking access to both the QRIS merchant account and the suspected website.

  1. NOBU National Bank and Pos Indonesia
  2. s.id URL shortening service and Ministry of Communication and Informatics of Republic of Indonesia
  3. Cloudflare and Webnic

We value your cooperation in resolving this issue. In fact, we know that most of our contacted parties are still actively fighting online scams from Indonesia and all around the world. We understand that this type of scam is fairly new, hence stopping this scam website in the first place marks a great start in stopping future QRIS-based online scams.

IMPORTANT NOTE: If you are voluntarily reading this from Indonesia, please do not give donations directly to our own QRIS payment code as shown on this blog post. Instead, you may support us through a number of ways, including sites such as Saweria and Trakteer which also support payments from e-wallets and QRIS.

Update 1: March 15, 2022

We forwarded the issue to NOBU National Bank via their official WhatsApp account. However, the bank rejected our report for not submitting evidence of a transaction with the scammer. The bank expects users to report scams after they have been scammed, or in their own terms, “experiencing financial losses”.

Meanwhile, the website was experiencing 500: Internal Server Error. The site is broken, I guess. But we decided to forward this issue to Cloudflare and Google Safe Browsing as well.

Update 2: March 18, 2022

We’re still curious enough to check whether the scam site is still working. Our Cloudflare and Google Safe Browsing reports didn’t have any effect, though.

However, what’s changing here is that the “Claim” button redirects to a checkout page generated by Xendit, a Southeast Asian payment gateway similar to Square and Stripe, in case you’re already familiar with those. This time, the merchant claimed to be “POSGIRO” instead of “MRS”. The original invoice URL is https://checkout.xendit.co/web/6234b85f9820c061fbb94cfd.

What does a real Pos Indonesia checkout page look like?

Some people also asked us whether there are clear examples of Pos Indonesia’s real checkout page. Fortunately, we have one answer, on va.posindonesia.co.id, right when we received an import tax bill to get our Hacktoberfest 2021 prizes mailed to our home address.* Here’s another QRIS for you to analyze:

The original payload here is:


Which clearly states that this is a dynamic payment QR code (“QRIS Dinamis”) issued right from Pos Indonesia! At least for their own postal and delivery services as well as Pospay merchants out there.

raiding one of the vscode ads;

oh hi everyone! today i’m going to review this vscode extension:

huh, why is it an ad for online slot gambling?

btw, this vscode extension has the identifier slot-online-terpercaya.slot-terbaik-indonesia-2022; and to be safe we’re going to raid the extension’s source code!

first of all, the Visual Studio Marketplace site will still tell you to open vscode to download the extension; but i only want to download the .vsix file;

but luckily AT THAT TIME we could wget https://slot-online-terpercaya.gallery.vsassets.io/_apis/public/gallery/publisher/slot-online-terpercaya/extension/slot-terbaik-indonesia-2022/0.0.1/assetbyname/Microsoft.VisualStudio.Services.VSIXPackage to download the package directly; we rename the file to judi.zip and extract it as usual;

this is the content of extension/extension.js, the one i wanted!

```javascript
// The module 'vscode' contains the VS Code extensibility API
// Import the module and reference it with the alias vscode in your code below
const vscode = require('vscode');

// this method is called when your extension is activated
// your extension is activated the very first time the command is executed

/**
 * @param {vscode.ExtensionContext} context
 */
function activate(context) {

	// Use the console to output diagnostic information (console.log) and errors (console.error)
	// This line of code will only be executed once when your extension is activated
	console.log('Congratulations, your extension "slot-olympus" is now active!');

	// The command has been defined in the package.json file
	// Now provide the implementation of the command with registerCommand
	// The commandId parameter must match the command field in package.json
	let disposable = vscode.commands.registerCommand('slot-olympus.duta', function () {
		// The code you place here will be executed every time your command is executed

		// Display a message box to the user
		vscode.window.showInformationMessage('Hello World from Bocoran Trik Slot Gacor Olympus Gampang Jackpot, Slot4D.!');
	});

	context.subscriptions.push(disposable);
}

// this method is called when your extension is deactivated
function deactivate() {}

module.exports = {
	activate,
	deactivate
}
```

yeah, from here we can say this is just a dummy extension; they only rely on README.md to advertise themselves on the Visual Studio Marketplace;
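
The same inspection done without installing or even unpacking the package to disk, as an added example (not part of the original post): it reads a .vsix as the zip archive it is, follows `main` in `extension/package.json` to the entry file, and reports which modules and `vscode` APIs the code touches. Only `extension.js` is shown on this page, so the `package.json`, the README and its `example.invalid` links in the sample are constructed, and `triage_vsix` is a hypothetical helper name.

```python
import io
import json
import posixpath
import re
import zipfile

# Constructed sample mirroring the extension.js quoted above (message text shortened).
SAMPLE_JS = """const vscode = require('vscode');
function activate(context) {
  let disposable = vscode.commands.registerCommand('slot-olympus.duta', function () {
    vscode.window.showInformationMessage('Hello World');
  });
  context.subscriptions.push(disposable);
}
function deactivate() {}
module.exports = { activate, deactivate }
"""
# Constructed README: the real one is not reproduced on this page.
SAMPLE_README = "# Slot\n[daftar](https://example.invalid/a) [login](https://example.invalid/b)\n"

# The only vscode APIs used by the stock "Hello World" extension template.
TEMPLATE_API = {"commands.registerCommand", "window.showInformationMessage"}


def build_sample_vsix() -> bytes:
    """Build an in-memory .vsix with the layout described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension.vsixmanifest", "<PackageManifest/>")
        z.writestr("extension/package.json", json.dumps({
            "name": "slot-terbaik-indonesia-2022",
            "publisher": "slot-online-terpercaya",
            "version": "0.0.1",
            "main": "./extension.js",
            "contributes": {"commands": [{"command": "slot-olympus.duta", "title": "duta"}]},
        }))
        z.writestr("extension/extension.js", SAMPLE_JS)
        z.writestr("extension/README.md", SAMPLE_README)
    return buf.getvalue()


def triage_vsix(data: bytes) -> dict:
    """Statically summarize what a VS Code extension package contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        manifest = json.loads(z.read("extension/package.json"))
        # "main" is relative to the extension/ folder and may omit the .js suffix.
        entry = posixpath.normpath(
            posixpath.join("extension", manifest.get("main", "extension.js")))
        if entry not in names and entry + ".js" in names:
            entry += ".js"
        source = z.read(entry).decode("utf-8", "replace")
        readme = next((n for n in names if n.lower() == "extension/readme.md"), None)
        readme_text = z.read(readme).decode("utf-8", "replace") if readme else ""

    requires = sorted(set(re.findall(r"require\(\s*['\"]([^'\"]+)['\"]\s*\)", source)))
    api_calls = set(re.findall(r"\bvscode\.(\w+\.\w+)", source))
    return {
        "id": f"{manifest.get('publisher')}.{manifest.get('name')}",
        "entry": entry,
        "requires": requires,
        "commands": re.findall(r"registerCommand\(\s*['\"]([^'\"]+)['\"]", source),
        "api_calls": sorted(api_calls),
        "readme_links": len(re.findall(r"https?://", readme_text)),
        # True when the code does nothing beyond the unmodified template:
        # the listing exists for its README, not for its functionality.
        "placeholder_only": set(requires) <= {"vscode"} and api_calls <= TEMPLATE_API,
    }


if __name__ == "__main__":
    for key, value in triage_vsix(build_sample_vsix()).items():
        print(f"{key:17} {value}")
```

Any entry in `requires` other than `vscode`, or an API call outside the template set, is the cue to read the code line by line before drawing the "dummy extension" conclusion.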

fake user reviews

as usual there are also a few users who left testimonials there;

how did it spread to vscode?

first of all, i’m sure whoever made this ad is a person/developer behind those gambling sites; because to be able to make a vscode extension you have to be skilled in javascript and nodejs;

well, if only this extension had been published directly on GitHub, we could follow the website’s developer; nice to meet you, btw;

okay, that’s it for today’s extension raid; eh, i hear there are still lots more online gambling ads!?

Created a new account on the OSS site. Whoa, the password ✨leaked✨ via email.

OSS (oss.go.id), also known as Online Single Submission, is the business licensing registration and management system run by the Ministry of Investment / BKPM of the Republic of Indonesia.

Meaning, if you want to set up a new MSME (UMKM) legally, you register directly through OSS, right?

Okay, we create a new account and just confirm it by email. Once registration was done, i instead got sent the typical kind of email that i’d definitely throw out of our email history:

Is something wrong here? As far as i recall, i entered the password like this:

Password: ••••••••••••••••••••••••••••

And the worst part is that this password, which should be secret, is also exposed in plaintext. This means every email server (both OSS’s server and your own email server) can store the OSS password and access rights in an instant!

How come? Try searching for the string $$W0Y$$p455w0rdny4$$B@C@R!!! or even Password in the original payload of this email (some headers hidden):

Content-Type: text/html; charset=us-ascii From: Online Single Submission <noreply15@oss.go.id> Subject: Registrasi Hak Akses Sistem OSS To: alterine@reinhart1010.id Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Reply-To: kontak@oss.go.id Content-Length: 15205 <!DOCTYPE html> <html> <head> <meta name=3D"viewport" content=3D"width=3Ddevice-width"> <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-8= "> <title>OSS - Kementerian Investasi/BKPM</title> <style> @media only screen and (max-width: 620px) { table[class=3D"body"] h1 { font-size: 28px !important; margin-bottom: 10px !important; } table[class=3D"body"] p, table[class=3D"body"] ul, table[class=3D"body"] ol, table[class=3D"body"] td, table[class=3D"body"] span, table[class=3D"body"] a { font-size: 16px !important; } table[class=3D"body"] .wrapper, table[class=3D"body"] .article { padding: 15px !important; } table[class=3D"body"] .content { padding: 0 !important; } table[class=3D"body"] .container { padding: 0 !important; width: 100% !important; } table[class=3D"body"] .main { border-left-width: 0 !important; border-radius: 14px 14px 0 0 !important; border-right-width: 0 !important; } table[class=3D"body"] .btn table { width: 100% !important; } table[class=3D"body"] .btn a { width: 100% !important; } table[class=3D"body"] .img-responsive { height: auto !important; max-width: 100% !important; width: auto !important; } } @media all { .ExternalClass { width: 100%; } .ExternalClass, .ExternalClass p, .ExternalClass span, .ExternalClass font, .ExternalClass td, .ExternalClass div { line-height: 100%; } .apple-link a { color: inherit !important; font-family: inherit !important; font-size: inherit !important; font-weight: inherit !important; line-height: inherit !important; text-decoration: none !important; } #MessageViewBody a { color: inherit; text-decoration: none; font-size: inherit; font-family: inherit; font-weight: inherit; line-height: inherit; } .btn-primary table td:hover { 
background-color: #034ea9 !important; } .btn-primary a:hover { background-color: #034ea9 !important; border-color: #034ea9 !important; } } </style> </head> <body class=3D"" style=3D"background-color: #fafafa; font-family: system-= ui, -apple-system, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased; font-size= : 14px; line-height: 1.6; margin: 0; padding: 0; -ms-text-size-adjust: 100%= ; -webkit-text-size-adjust: 100%; border-bottom: 24px solid #9b1f15;"> <span class=3D"preheader" style=3D"color: transparent; display: none; h= eight: 0; max-height: 0; max-width: 0; opacity: 0; overflow: hidden; mso-hi= de: all; visibility: hidden; width: 0;">Terima kasih <b><span style=3D"colo= r: #034ea9">ALTERINE</span></b> telah melakukan aktivasi.</span> <table role=3D"presentation" border=3D"0" cellpadding=3D"0" cellspacing= =3D"0" class=3D"body" style=3D"border-collapse: separate; mso-table-lspace:= 0pt; mso-table-rspace: 0pt; background-color: #fafafa; width: 100%;" width= =3D"100%" bgcolor=3D"#fafafa"> <tr> <td style=3D"font-family: sans-serif; font-size: 14px; vertical-ali= gn: top;" valign=3D"top">&nbsp;</td> <td class=3D"container" style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top; display: block; max-width: 650px; padding: 20p= x; margin: 0 auto;" valign=3D"top"> <div class=3D"content" style=3D"box-sizing: border-box; display: = block; margin: 0 auto; max-width: 650px; padding: 20px;"> <!-- START HEADER --> <div class=3D"header"> <table role=3D"presentation" border=3D"0" cellpadding=3D"0" c= ellspacing=3D"0" style=3D"border-collapse: separate; mso-table-lspace: 0pt;= mso-table-rspace: 0pt; width: 100%;" width=3D"100%"> <tr> <td class=3D"content-block" style=3D"font-family: sans-se= rif; font-size: 14px; vertical-align: top; padding-bottom: 10px; padding-to= p: 10px;" valign=3D"top"> <img src=3D"https://oss.go.id/email-assets/logo_oss_new= .png" alt=3D"OSS" height=3D"55" border=3D"0" 
style=3D"-ms-interpolation-mod= e: bicubic; max-width: 100%; border: 0; outline: none; text-decoration: non= e; display: block; margin-bottom: 20px;"> </td> </tr> </table> </div> <!-- END HEADER --> <!-- START CENTERED WHITE CONTAINER --> <table role=3D"presentation" class=3D"main" style=3D"border-col= lapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt; background: = #ffffff; border-radius: 24px; width: 100%; box-shadow: 0px 0px 22px rgba(0,= 0, 0, 0.1); border: 1px solid #EEEEEE;" width=3D"100%"> <!-- START MAIN CONTENT AREA --> <tr> <td class=3D"wrapper" style=3D"font-family: sans-serif; fon= t-size: 14px; vertical-align: top; box-sizing: border-box; padding: 35px;" = valign=3D"top"> <table role=3D"presentation" border=3D"0" cellpadding=3D"= 0" cellspacing=3D"0" style=3D"border-collapse: separate; mso-table-lspace: = 0pt; mso-table-rspace: 0pt; width: 100%;" width=3D"100%"> <tr> <td style=3D"font-family: sans-serif; font-size: 14px= ; vertical-align: top;" valign=3D"top"> <table cellspacing=3D"5px" cellpadding=3D"0" style= =3D"border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt= ; width: 100%;" width=3D"100%"> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top;" valign=3D"top"> Terima kasih<b><span style=3D"color: #034ea9"= > ALTERINE </span></b>telah melakukan aktivasi. 
</td> </tr> </table> <table role=3D"presentation" border=3D"0" cellspaci= ng=3D"5px" cellpadding=3D"0" style=3D"border-collapse: separate; mso-table-= lspace: 0pt; mso-table-rspace: 0pt; width: 100%; margin-top: 16px; margin-b= ottom: 16px;" width=3D"100%"> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top; background-color: #f7f7f7; padding: 12px 30px;= border-radius: 24px 0 0 24px;" bgcolor=3D"#f7f7f7" valign=3D"top"> Username </td> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top; background-color: #f7f7f7; padding: 12px 30px;= border-radius: 0 22px 22px 0;" bgcolor=3D"#f7f7f7" valign=3D"top"> <b>alterine01013102022y</b> </td> </tr> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top; background-color: #f7f7f7; padding: 12px 30px;= border-radius: 24px 0 0 24px;" bgcolor=3D"#f7f7f7" valign=3D"top"> Password </td> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top; background-color: #f7f7f7; padding: 12px 30px;= border-radius: 0 22px 22px 0;" bgcolor=3D"#f7f7f7" valign=3D"top"> <b>$$W0Y$$p455w0rdny4$$B@C@R!!!</b> </td> </tr> </table> <table cellspacing=3D"5px" cellpadding=3D"0" style= =3D"border-collapse: separate; mso-table-lspace: 0pt; mso-table-rspace: 0pt= ; width: 100%;" width=3D"100%"> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top;" valign=3D"top"> Silakan login pada sistem <a href=3D"https://ui-login.oss.go.id/login/"= target=3D"_blank" style=3D"color: #034ea9; text-decoration: none;">Online = Single Submission (OSS)</a> dengan menggunakan username dan password di a= tas. Untuk mengetahui tata cara pengajuan Perizina= n Berusaha, klik <a href=3D"http://oss.go.id/" style=3D"text-d= ecoration: underline; color: #034ea9;">tautan ini</a>. 
</td> </tr> </table> <table style=3D"border-collapse: separate; mso-tabl= e-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; margin-top: 14px;" width= =3D"100%"> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top;" valign=3D"top"> Jika anda tidak melanjutkan proses pengajuan Perizinan Berusaha dalam jangka waktu 30 (tig= a puluh) hari, maka sistem akan membatalkan hak akses Anda secara otomatis. </td> </tr> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top;" valign=3D"top"> <br><b>Salam,</b><br>Lembaga OSS - Kementeria= n Investasi/BKPM </td> </tr> <tr> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: top;" valign=3D"top"><hr style=3D"border: 0; border= -bottom: 1px solid #e6e7e8; margin: 24px 0;"></td> </tr> </table> <table style=3D"border-collapse: separate; mso-tabl= e-lspace: 0pt; mso-table-rspace: 0pt; width: 100%;" width=3D"100%"> <tr> <td width=3D"50" style=3D"font-family: sans-ser= if; font-size: 14px; vertical-align: top;" valign=3D"top"> <img src=3D"https://oss.go.id/email-assets/ic= on_whatsapp.png" alt=3D"OSS" width=3D"36" height=3D"36" border=3D"0" style= =3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline: n= one; text-decoration: none; display: inline-block; vertical-align: middle; = margin: 4px 0;"> </td> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: middle;" valign=3D"middle">+628116774642</td> </tr> <tr> <td width=3D"50" style=3D"font-family: sans-ser= if; font-size: 14px; vertical-align: top;" valign=3D"top"> <img src=3D"https://oss.go.id/email-assets/ic= on_message.png" alt=3D"OSS" width=3D"36" height=3D"36" border=3D"0" style= =3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline: n= one; text-decoration: none; display: inline-block; vertical-align: middle; = margin: 4px 0;"> </td> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: middle;" valign=3D"middle"> 
kontak@oss.go.id </td> </tr> <tr> <td width=3D"50" style=3D"font-family: sans-ser= if; font-size: 14px; vertical-align: top;" valign=3D"top"> <img src=3D"https://oss.go.id/email-assets/ic= on_location.png" alt=3D"OSS" width=3D"36" height=3D"36" border=3D"0" style= =3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline: n= one; text-decoration: none; display: inline-block; vertical-align: middle; = margin: 4px 0;"> </td> <td style=3D"font-family: sans-serif; font-size= : 14px; vertical-align: middle;" valign=3D"middle"> Jalan Jenderal Gatot Subroto No. 44<br> Jakarta 12190<br> Indonesia </td> </tr> </table> <table style=3D"border-collapse: separate; mso-tabl= e-lspace: 0pt; mso-table-rspace: 0pt; width: 100%; margin-top: 24px;" width= =3D"100%"> <tr> <td align=3D"center" style=3D"font-family: sans= -serif; font-size: 14px; vertical-align: top;" valign=3D"top"> <a href=3D"https://www.instagram.com/oss.go.i= d/" target=3D"_blank" style=3D"color: #034ea9; text-decoration: none; margi= n: 0 2px;"> <img src=3D"https://oss.go.id/email-assets/= icon_instagram.png" alt=3D"OSS" width=3D"32" height=3D"32" border=3D"0" sty= le=3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline:= none; text-decoration: none; display: inline-block;"> </a> <a href=3D"https://www.facebook.com/OSS-Indon= esia-109055061289447" target=3D"_blank" style=3D"color: #034ea9; text-decor= ation: none; margin: 0 2px;"> <img src=3D"https://oss.go.id/email-assets/= icon_facebook.png" alt=3D"OSS" width=3D"32" height=3D"32" border=3D"0" styl= e=3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline: = none; text-decoration: none; display: inline-block;"> </a> <a href=3D"https://twitter.com/OSS_id" target= =3D"_blank" style=3D"color: #034ea9; text-decoration: none; margin: 0 2px;"= > <img src=3D"https://oss.go.id/email-assets/= icon_twitter.png" alt=3D"OSS" width=3D"32" height=3D"32" border=3D"0" style= =3D"-ms-interpolation-mode: bicubic; max-width: 100%; 
border: 0; outline: n= one; text-decoration: none; display: inline-block;"> </a> <a href=3D"https://www.youtube.com/channel/UC= NNpwT4AJJGNbHytdB5iNgA" target=3D"_blank" style=3D"color: #034ea9; text-dec= oration: none; margin: 0 2px;"> <img src=3D"https://oss.go.id/email-assets/= icon_youtube.png" alt=3D"OSS" width=3D"32" height=3D"32" border=3D"0" style= =3D"-ms-interpolation-mode: bicubic; max-width: 100%; border: 0; outline: n= one; text-decoration: none; display: inline-block;"> </a> </td> </tr> </table> </td> </tr> </table> </td> </tr> <!-- END MAIN CONTENT AREA --> </table> <!-- END CENTERED WHITE CONTAINER --> </div> </td> <td style=3D"font-family: sans-serif; font-size: 14px; vertical-ali= gn: top;" valign=3D"top">&nbsp;</td> </tr> </table> </body> </html>

If you’re a robot that faithfully reads email and HTML, you can directly extract the same password by:

  1. Check whether the sender is an OSS email address (just regex it with /<noreply\d+@oss.go.id>/),
  2. Parse the HTML
  3. Find the 5th <table>,
  4. For each <tr>, extract the 1st <td>

And if you’re a robot working behind Gmail, Yahoo! Mail, Outlook.com and others, congratulations! You get a 🎫 golden ticket to leak the login data of millions of MSMEs and companies that register on OSS🤘
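
The steps above turned around into a sender-side check, as an added example (not code from the original post or from OSS): a lint that a mail pipeline could run before sending, which decodes the quoted-printable HTML part and flags any label/value table row that hands out a secret. The label list, the function names and both sample messages are constructed for illustration, and the function returns only the offending labels, never the values.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

SENDER_RE = re.compile(r"<noreply\d+@oss\.go\.id>")           # the post's sender check, dot escaped
SECRET_LABELS = re.compile(r"^(password|kata sandi|pin)$", re.I)  # assumed label list

# Constructed samples. The secret is split by a quoted-printable soft line
# break ("=" at end of line), as happens to long lines in real mail.
SAMPLE_LEAKY = """From: Example Sender <noreply1@oss.go.id>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<table><tr><td style=3D"x">Username</td><td><b>constructed-user</b></td></tr>
<tr><td>Password</td><td><b>CONSTRUCTED-not-a-re=
al-secret</b></td></tr></table>
"""
SAMPLE_CLEAN = """From: Example Sender <noreply1@oss.go.id>
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<p>Set your password here: <a href=3D"https://example.invalid/activate">link</a></p>
"""


class RowCollector(HTMLParser):
    """Collect the text of each <td>, grouped by innermost <tr>."""

    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag == "td" and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag == "td" and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None


def sender_is_oss(raw_message: str) -> bool:
    return bool(SENDER_RE.search(message_from_string(raw_message).get("From", "")))


def plaintext_secret_labels(raw_message: str) -> list:
    """Return the labels of table rows that carry a non-empty secret value."""
    found = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        # decode=True undoes the quoted-printable transfer encoding.
        html = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        parser = RowCollector()
        parser.feed(html)
        parser.close()
        found += [row[0] for row in parser.rows
                  if len(row) >= 2 and SECRET_LABELS.match(row[0]) and row[1]]
    return found


if __name__ == "__main__":
    for name, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(name, sender_is_oss(raw), plaintext_secret_labels(raw))
```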


First of all, Reinhart finally got an NPWP (taxpayer ID number) 3 weeks before Ghozali got one too. Good, so the @reinhart1010 account doesn’t get whistled at by the @DitjenPajakRI account on Twitter.

Then, we are indeed discussing setting up a new company. Maybe it’ll be named PT. Satu Orang Saja, or maybe something else. The initial goal is so that we can hook products/websites like BINUS Today up to a payment system (payment gateway) like Midtrans. But, thinking about it, it’d be pretty great if we could set up a company that’s 90% managed by us. Er, I mean, by our beloved robots! 🦾

Update 31/1/2022

Indonesia’s personal data isn’t leaked, it’s open source.

joinin’ the TEDxBinusUniversity 2021 committee

hi, it’s been a while since we met together, right? now, for those who’re unaware, Reinhart has been appointed as a Publication committee for TEDxBinusUniversity 2021!!!

&& if you ask what are the jobs for the publication team? sure, we (i mean the TEDx committee bruh) don’t even have a website and don’t have enough followers on Instagram…

so this time we’ll just simply ask more than 70 official student organizations in BINUS UNIVERSITY to print() that thing!

the jobdesc

there are many secret things here, but 1 thing for sure: making sure that each org has published advertisements for TEDxBinusUniversity via Instagram && “official” websites (the ones starting with student-activity.binus.ac.id)

that means our team will check more than 150 websites && instagram accounts to make sure each one of them has posted it, at least once;

so yeah, monitoring more than a hundred for every (few) days isn’t an easy job, but well, thank God we have built something before…

thank God we have binustoday

wait, what’s binustoday again? it’s originally a Reinhart side project to build a better, full-fledged news app because, the “knowledge” tab on BINUS Mobile doesn’t give enough “knowledge” to anyone who’s visiting that; just look at what i mean here:

compared to ours (with dark mode):

ha! that’s a bit better, right? you can even search articles by keywords or by the author name (e.g. the Character Building Development Center / CBDC)!

binustoday also collects articles from all of the student organization websites, && that means we can easily check out each one of them whether they have published the ad properly, like this:

phew, binustoday has simplified our workflow for monitoring websites like these, especially by (ab)using the RSS && WP-JSON endpoints to easily extract data from other sites; so yeah, case closed && we’ll just need to monitor Instagram accounts!

special thanks to Shiftine for tirelessly helping us in fetching articles like these 🤞

oh hey, it’s HAM!

hello, world! we originally wanna give you a surprise as we “forked” Wikipedia for our own rootness sake!

the name’s Hackapedia && you can curlgrep it on https://hackapedia.reinhart1010.id;

but well, MediaWiki (aka. the software which powers Wikipedia, wikiHow, Fandom/Wikia, && i++) isn’t as flexible as we thought; at least, to be installed in a shared hosting environment; we soon realized that many of Wikipedia’s templates require running some Lua scripts to work, and we weren’t familiar with that; so we’re afraid that the MediaWiki-based Hackapedia will be able to scale in the future;

meanwhile, one of Reinhart’s undisclosed projects seems to require some sort of API documentation; i mean, just like the API docs[] for PayPal, Firebase, && i++; what if we could just create a framework which allows us not just to build Hackapedia, but also lots && lots of wikis made using the power of Git!

and since shared hosting works best with static files, we should definitely build it; perhaps, using Jekyll, maybe?

Jekyll && Halfmoon: good old friends

well, did you know that our old blog site at https://reinhart1010.github.io was created using Jekyll && Halfmoon? they’re both awesome, right? so we decided to reuse Halfmoon for BINUS Today:

after all, we still consider Halfmoon great && even better than some alternatives (Bootstrap, Primer) for the infamous Dark Mode && customization; && that means wiki authors who will use our framework will be able to easily customize the look && feel of their own through CSS variables!

so say goodbye to Vector && Minerva Neue, we’ll completely make this thing responsive && customizable by default! (thanks again, Halfmoon!)


0th thing 0th, we should clarify what HAM is, and whether our amazing project is completely Halal for some concerned people; HAM originally stands for Hackapedia Article Manager, && the goal of it is just another static content management system (CMS) for (the future version of) Hackapedia; but soon, it became imminent for us to make it recursive, just like WINE which stands for WINE Is Not an Emulator!

so, as you can see on the front page of HAM (https://reinhart1010.github.io/HAM), there are some definitions[] for that!

how HAM actually works

HAM is just yet another gem-based Jekyll theme, with some differences; while Jekyll is commonly used to host blog posts (hence those great websites hosted in GitHub Pages), we’re using it instead to host some sort of documentation, “wiki”-style; well, what defines a wiki? well, according to Wikipedia, a wiki isn’t just about the website, but also a collaborative writing project; that’s why wiki site authors can set their own URLs to let viewers discuss && edit the project, together;

notice that Report New Issue && the View Source button? btw this is yet another internal wiki made with HAM!

HAM is currently under alpha but we’re all loving it; you’ll definitely want to curlgrep out our source code at https://github.com/reinhart1010/HAM && it’s available as jekyll-ham on rubygems.org!

Welcome to the most laughable investment group in all of Indonesia!

Bank Mandiri? Nope. Bank HSBC? Not that either. The Bareksa or HQSahamIDX apps? Nope.

This is an investment group claiming to act on behalf of… CNBC Indonesia!

Congratulations, you have been crowned the most laughable Telegram group, I mean, Telegram grub, in all of Indonesia!

As a prize for the 𝐀𝐃𝐌𝐈𝐍 𝐂𝐍𝐁𝐂 𝐈𝐍𝐃𝐎𝐍𝐄𝐒𝐈𝐀 who worked hard to earn this award, we will hand the prize directly to the entire CNBC Indonesia editorial team, in the hope that it can be published on CNBC Indonesia’s news portal and television station.

That concludes our announcement. Thank you.

Note: The link to this investment grub will be announced after the prize handover.

Let’s make a virtual expo that doesn’t suck! (Part 1)

So here’s the thing. I believe that virtual expo events, as of now, still suck so bad.

And apparently, many people have ranted the same thing about virtual expos and conferences especially during 2020. Here’s one from the CEO of Haute Dokimazo:

There isn’t a reason for them to be there live. If it’s just a webcast with a chat, what’s the point? If it’s recorded for later, why show up live? Slides and talking head or audio track? No thanks. Plus, they can listen to it later as a recording while working.

https://www.linkedin.com/pulse/virtual-events-dead-liz-lathan-cmp (Liz Lathan, CMP)

And another rant from a software developer,

The reason that virtual events suck is that we’re trying to replicate in-person events. We’re doing old-school iOS skeuomorphism but for primarily social gatherings.

https://aparker.io/posts/virtual-events-suck/ (Austin Parker)

Yet another rant, but this time it’s a YouTube video:

Most virtual events SUCK because they don’t invest in bringing the hosts/MCs/moderators that connect passion, energy, and engagement between the speakers and the attendees. (They mostly focus on technology and bringing more attendees)

https://youtu.be/9dcup7EO2z8 (Brian Fanzo)

Before continuing to read this blog post, please take some time to read their full opinions on how virtual expos and conferences suck, ’cause I’m feeling the same thing, too.

In addition to that, I’ve discovered three main points which made the virtual experience even worse:

1. Attendees love more to explore “What’s Around”, not “What’s Inside”.

Meanwhile, virtual events (in this case, expos and conferences) are too focused on “what’s inside”, instead of “what’s around”.

Now, if you have paid expensive tickets to attend a physical expo/conference in another country, let’s say, Apple’s annual World Wide Developer Conference (WWDC) in San José (taking the WWDC 2019 venue, McEnery Convention Center as an example), I bet you won’t fly to California just to go to WWDC then fly back home, right?

Oh, if you’re curious how far the WWDC 2019 venue is from my home, here’s a map for you:

Some of you will, and in fact have, the opportunity to explore what’s inside the city. Walk around the streets and parks, dine inside malls and restaurants, hang out with some new friends, or even have the opportunity to explore nearby towns and cities which made up the greater Silicon Valley.

Now, you might be thinking how this affects your attendees’ overall experience. In fact, when they enter the physical venue where the event is being held, these attendees often spend time exploring around the area:

  • looking at one booth and another,
  • meeting and chatting with new people,
  • then getting attracted to a specific booth which offers free swags and interesting stuff,
  • and finally being confused, but then amazed, by the event currently happening in the Main Hall.

However, it’s quite difficult to replicate this kind of experience when it comes to virtual events. Most of the time, those attendees are just “attendees”, who spend an hour or so watching sessions then leave, instead of being the “participants”, who don’t just come to watch those sessions, but also interact with hosts, booths, and other participants, too!

Now, if you have watched a lot of virtual seminars, workshops, exhibitions, and so on, have you interacted, 1:1, with another participant in the same event whom you don’t know yet? If you haven’t done that, well, that’s one main problem with virtual expos right now, especially when most of them don’t offer that kind of experience yet. Oh yeah, events without discussions could discourage attendees from watching the entire session at all, as most of the time spent watching those sessions could also be used to do other things such as work and play.

Now, if there’s a virtual expo where you can’t fully interact with them, then what’s the point of creating new virtual expos at all? Why not create a series of webcasts or podcasts then consistently upload them to YouTube for others to watch? It’s way more convenient for attendees than painfully clicking through exhibition arrows, “floors”, and even the damn Sign Up, Log In (SULI) page where I forgot my supposedly-hard-to-guess password for that account?

Hello? Is anyone there? What are those red buttons (with arrow GIFs)? Help, I’m alone!

Screenshot taken from “Rumah Digital Indonesia” (https://rumahdigitalindonesia.id)

2. Localization is important.

Many virtual expo websites, especially those mimicking a real expo space and “hosted” in Indonesia, don’t care much about localization besides translating all of the content. However, some of you might know how localization is both important and powerful in video games to deliver their content to international players, while avoiding conflicts with the players’ culture and ethnicity. Now, how is that important for such a virtual expo? (Spoilers: it’s more than just translations!)

Okay, let me give you an example here. Go to the BINUS Education Virtual Expo (BEVE) website and observe the people on the “Main Lobby”.

None of these reflect the high school students and parents wishing to enroll in BINUS University, which should be the intended audience for this great, futuristic expo. Most people depicted in this picture don’t seem to bring children or even babies, as many families do when attending such an education expo. Oh yeah, and where are the lecturers, officials, and committees who spread flyers to those who come into the venue?

Then, I’d like to introduce you to a similar virtual expo hosted by Virtual Expo ID. The expo’s lobby is filled with some blonde-haired people. Unfortunately, they don’t reflect what most Indonesian people look like!

Those two examples might be trivial and silly, but believe me, designing a more suitable (virtual) venue can bring better impressions from intended audiences. And that’s why virtual expo organizers should spend more time improving the venue. It’s like what makes video games such as Minecraft and Fortnite feel good and welcoming towards millions of users no matter their skills or locations.

3. Not friendly towards mobile devices also means you’re not friendly towards attendees.

I don’t need to say again and again that mobile devices have taken the worldwide Internet traffic. That means many users are likely to visit online virtual expos through their mobile phones.

However, many of these virtual expo websites are not mobile friendly! And why? ’Cause most mobile devices have their limitations when rendering videos and (3D) graphics to make it run smoothly, and power efficient!

Let’s look at BEVE again. When you look up into one of the “floors”, you’ll get these nice, wonderful 3D graphics:

Now, let’s try to load the same page on mobile and you’ll instead see this list:

Filled with poor color contrast. That’s why we can’t have nice things 🙁

4. SULI (Sign Up, Log In) Madness.

Have you always been asked your email and password just to view what’s inside a physical store or booth?

Now, then why do these virtual expos require you to log into an account just to view what’s inside the booth?

This reminds me of one of the worst UX (user experience) practices: requiring people to sign up or log in (SULI) just to view what’s inside. Now, let’s say there’s an online shopping app which uses that bad UX pattern. I bet that most of the users have no idea which items are being sold, ’cause they can only be seen if you have an account! So why bother creating a new account if you’re unsure about that?

Many apps have taken that wise advice, really. Even some apps such as Duolingo took a step further. When you first launch their app, Duolingo simply asks and trains you to understand a new language before asking you to do that SULI thing. So, again, this is something that UI/UX designers and app developers are starting to care about. And I really hope that stubborn virtual expo organizers learnt that the hard way.

So, after so much ranting about those virtual expos, we’ll explore new ways of delivering a virtual expo experience that, well, does not suck. Stay tuned for more info!

virtual (background) problems require virtual solutions

many software developers who love && use Linux agree that the Zoom experience on Linux sucks, and one of them is all about virtual backgrounds;

in short, unlike in Windows or macOS or iOS, you can only apply a virtual background in Zoom for Linux by using a chroma key; that means that Zoom for Linux requires you to have either a blue screen or green screen, or how about the infamous blue screen of death?

never mind, but, here’s an actual screenshot of virtual background settings when it comes to Zoom for Linux; yep, that’s definitely different than the ones you might see in Windows or macOS:

even the “blur” option does not work for me, idk if that requires having an external GPU but i’m turning that Nvidia off cause it wastes more laptop power on Linux than as in Windows;

then, i thought about something; well, virtual backgrounds are supposed to hide your background which could be messy, irrelevant, or discomforting to you and your colleagues; perhaps you’re conferencing from your messy bedroom, or there’s someone else video conferencing behind you; i know right, ’cause i have the same situation here too!

but suddenly my cryptographically-secure random idea generator printf()s this interesting idea:

if you can’t hide your messy background, then hide your messy face!

// ’cause it will protect others’ faces from being visible, too!

so instead of applying my virtual background onto the back of me, what if i’m applying it the other way around;

and voila! i’ve hacked my body for some Matrix hype && pride on Instagram && TikTok:


just turned myself into the matrix thanks to #zoom’s poor #virtualbackground support on #linux;

well, sure, if Zoom for Linux starts to differentiate me from my shirt (based on color) i’ve got some backup plans for me:

  • just applying that into my shirt, or
  • applying that into my skin, or
  • run that transformation with this magical trick from a specific GitHub repo;

goin’ to digital fashion hype, minus that AR && NFT thing;

applying that virtual background into my solid t-shirt is, in fact, also inspired by the trends of digital fashion; no, not those Bitmojis or virtual avatars, but beyond;

in recent years people have started to buy clothes && shoes which do NOT exist physically, && to “wear” them you’ll either need an AR app or email a pic of yourself to be edited, seriously!

but speaking about NFTs, no, ’cause i’ve some different opinions about the so-called blockchains, NFTs, smart contracts, “web 3.0” and so on; but that’s another story to tell, so stay tuned if i announce it for ya!

some last words[] for ya;

&& seriously, i’ll never be the same again thanks to the limitations of Zoom for Linux; not just be able to write codes for many projects, then able to speak programming languages in daily life (as recommended by Tim Cook in 2017), && soon i’m able to not just wear, but be, the code that i have every day;

so yeah, soon i’ll be one with my code; no, not that Visual Studio Code, but every code which i create, work, && love; need some help, summon a new instance of me && i’ll help you through wading a field full of bugs[], overflows[] && NullPointerExceptions[];

is this what it feels when hacker culture meets cyberpunk? i don’t know, but this could be a new one;

&& speaking of that digital rain background;

that piece of art was taken from this site, which does not specify whether the image is appropriate for commercial use; maybe the site took this thing from Pinterest or DeviantArt, but again i’m unsure about that;

since those images don’t seem to be available over Unsplash && some public domain image repos, i’m currently considering creating a new one myself with a specific shade of green, which could be a great brand identity for the rootheads;